Revision 1.0

For Public Release 2007 February 15 16:00 UTC (GMT)

Cisco Response

Vulnerability Characteristics

The Exploitation of the Default Web Interface Administrative Credentials can be accomplished locally by using the default credentials shipped with some products. A user must visit a malicious website for this attack to be successful. If the vulnerability is exploited, the attacker may change the network device configuration, create a denial of service (DoS) condition, or gain complete control of the device. The attack vector is through TCP port 80. This vulnerability is not covered by a CVE ID.

Mitigation Technique Overview

The strongest preventive measure a home network administrator can take against these types of attacks is to change the default device password during the setup process. Many device types mentioned in the Symantec advisory ship with a default password or a blank password. Many devices in these categories also ship with software to aid in the device setup process. During the device setup process, the default or blank password should be changed to a non-default password using strong password creation techniques. These techniques include the use of mixed-case letters, numbers, and punctuation symbols. For additional information on choosing a secure password, refer to the US-CERT Cyber Security Tip ST04-002, Choosing and Protecting Passwords, available at: http://www.us-cert.gov/cas/tips/ST04-002.html. The software setup programs supplied with these devices ask the home network administrator to change the default device password. Completing this step prevents the successful Exploitation of the Default Web Interface Administrative Credentials.

To reduce the risk that users will fall victim to Exploitation of the Default Web Interface Administrative Credentials, it is advisable to educate them about safe browsing. Countermeasures should also be implemented at the application level (the browser) through the scripting controls available in the browser. Scripting controls allow the definition of policy to restrict code execution. A standard strategy should consist of the following:

Disable all scripting languages interpreted by the browser.

Caution: Disabling scripting may result in a loss of functionality because many web applications use scripting. Take care to ensure that all required business applications are fully functional with scripting disabled.

Only follow links to known websites from trusted sources.

Enable URL verification (phishing detection) in the browser if available.

The effectiveness of any mitigation technique is dependent on specific customer situations such as product mix, network topology, traffic behavior, and organizational mission. Due to the variety of affected products and releases, customers should consult with their service provider or support organization to ensure any applied workaround is the most appropriate for use in the intended network before it is deployed.

Risk Management

Organizations are advised to follow their standard risk evaluation and mitigation processes to determine the potential impact of this vulnerability. Triage refers to sorting projects and prioritizing efforts that are most likely to be successful. Cisco has provided documents that can help organizations develop a risk-based triage capability for their information security teams. Risk Triage for Security Vulnerability Announcements and Risk Triage and Prototyping can help organizations develop repeatable security evaluation and response processes.

Device-Specific Mitigation and Identification

The effectiveness of any mitigation technique is dependent on specific customer situations such as product mix, network topology, traffic behavior, and organizational mission. As with any configuration change, evaluate the impact of this configuration prior to applying the change.

Specific information about mitigation and identification is available for these devices:

Additional Information

THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.